Remote PS session fails on non-domain server


10

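I'm trying to connect to a remote Win2008R2 server that is not domain-joined, using PS from a Win8 host (same subnet, this is a local VM). I've tried everything I could find and nothing works.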

Server:

PS C:\Users\Administrator> winrm quickconfig
PS C:\Users\Administrator> enable-psremoting

Client:

PS C:\scripts> $cred = get-credential -username "administrator" -message "Enter password"

PS C:\scripts> $sess = new-pssession -computername 10.10.106.2 -credential $cred -authentication default
new-pssession : [10.10.106.2] Connecting to remote server 10.10.106.2 failed with the following error message : The
WinRM client cannot process the request. If the authentication scheme is different from Kerberos, or if the client
computer is not joined to a domain, then HTTPS transport must be used or the destination machine must be added to the
TrustedHosts configuration setting. Use winrm.cmd to configure TrustedHosts. Note that computers in the TrustedHosts
list might not be authenticated. You can get more information about that by running the following command: winrm help
config. For more information, see the about_Remote_Troubleshooting Help topic.
At line:1 char:9
  + $sess = new-pssession -computername 10.10.106.2 -credential $cred -authenticatio ...
  + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : OpenError: (System.Manageme....RemoteRunspace:RemoteRunspace) [New-PSSession], PSRemotingTransportException
    + FullyQualifiedErrorId : ServerNotTrusted,PSSessionOpenFailed

PS C:\scripts> winrm set winrm/config/client '@{TrustedHosts="10.10.106.2"}'
WSManFault
Message = The client cannot connect to the destination specified in the request. Verify that the service on the dest
ination is running and is accepting requests. Consult the logs and documentation for the WS-Management service running o
n the destination, most commonly IIS or WinRM. If the destination is the WinRM service, run the following command on the
destination to analyze and configure the WinRM service: "winrm quickconfig".
Error number:  -2144108526 0x80338012
The client cannot connect to the destination specified in the request. Verify that the service on the destination is run
ning and is accepting requests. Consult the logs and documentation for the WS-Management service running on the destinat
ion, most commonly IIS or WinRM. If the destination is the WinRM service, run the following command on the destination t
o analyze and configure the WinRM service: "winrm quickconfig".

PS C:\scripts> $sess = new-pssession -computername 10.10.106.2 -credential $cred -usessl
new-pssession : [10.10.106.2] Connecting to remote server 10.10.106.2 failed with the following error message : WinRM
cannot complete the operation. Verify that the specified computer name is valid, that the computer is accessible over
the network, and that a firewall exception for the WinRM service is enabled and allows access from this computer. By
default, the WinRM firewall exception for public profiles limits access to remote computers within the same local
subnet. For more information, see the about_Remote_Troubleshooting Help topic.
At line:1 char:9
  + $sess = new-pssession -computername 10.10.106.2 -credential $cred -usessl
  +         ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : OpenError: (System.Manageme....RemoteRunspace:RemoteRunspace) [New-PSSession], PSRemotin   gTransportException
    + FullyQualifiedErrorId : WinRMOperationTimeout,PSSessionOpenFailed

Oh, and RDP works fine between those two hosts with the same credentials.

Even this works:

PS C:\scripts> Get-WinEvent -computername 10.10.106.2 -credential $cred

Answers:


17

On the client

winrm quickconfig
winrm set winrm/config/client '@{TrustedHosts="Computer1,Computer2"}'

On the server

Enable-PSRemoting -Force
winrm quickconfig

For HTTPS

winrm create winrm/config/Listener?Address=*+Transport=HTTPS @{Hostname="_";CertificateThumbprint="_"}

For HTTP

winrm create winrm/config/Listener?Address=*+Transport=HTTP

Test

Test-WsMan ComputerName
Test-WsMan ComputerName -UseSSL

Edit: setting TrustedHosts using PowerShell

Or use PowerShell (as administrator)

Set-Item -Path WSMan:\localhost\Client\TrustedHosts -Value "Computer1,Computer2"

And check (administrator not required)

Get-Item WSMan:\localhost\Client\TrustedHosts
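The `winrm set` and `Set-Item` commands above overwrite the whole TrustedHosts list, and the error message in the question notes that hosts in that list might not be authenticated. The following is an added example, not part of the original answer: it appends a single host, tests the connection and restores the previous list afterwards. It assumes an elevated PowerShell 3.0 or later on the client; the address is the one from the question and the `Administrator` account name is taken from the question's prompt.

```powershell
# Added example; run in an elevated PowerShell on the client.
$target = '10.10.106.2'                       # server address from the question
$path   = 'WSMan:\localhost\Client\TrustedHosts'

# The WSMan: drive needs the local WinRM service to be running on the client.
Start-Service WinRM

# Remember the current list so it can be restored afterwards.
$before = (Get-Item $path).Value

# Append only this host; -Concatenate keeps existing entries instead of replacing them.
Set-Item -Path $path -Value $target -Concatenate -Force

$sess = $null
try {
    # Local account on the non-domain server, qualified with the server address.
    $cred = Get-Credential -UserName "$target\Administrator" -Message "Local account on $target"

    # Authenticated probe over HTTP (5985); fails early if the listener,
    # firewall rule or credentials are wrong.
    Test-WSMan -ComputerName $target -Credential $cred -Authentication Negotiate | Out-Null

    $sess = New-PSSession -ComputerName $target -Credential $cred -Authentication Negotiate
    Invoke-Command -Session $sess -ScriptBlock { hostname }
}
finally {
    if ($sess) { Remove-PSSession $sess }
    # Restore the previous list so the entry does not outlive the session.
    Set-Item -Path $path -Value $before -Force
}
```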

5

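The problem is spelled out in one of those error messages:

If the authentication scheme is different from Kerberos, or if the client computer is not joined to a domain, then HTTPS transport must be used or the destination machine must be added to the TrustedHosts configuration setting.

Basically, you need to either set WinRM to use HTTPS (instead of the default HTTP), or add the computer you're connecting from as a "trusted host" on the computer you're connecting to.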


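I can't use that command because there is no valid certificate on the server. As you can see in the original question, I did try adding the computer to TrustedHosts on the client. Do I need to do the same on the server side as well?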
Dendory

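RDP into the remote server and set the "Trusted Hosts" from the RDP session (if that's the way you want to go). I think it's easier and better to just set WinRM/WinRS to use HTTPS instead of HTTP on all the computers I manage, for a lot of reasons, but I guess that's what you're asking for.
HopelessN00b 2015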

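Yes, but PS HTTPS apparently requires a real certificate (not self-signed) as well as a public DNS name. Why doesn't it use the same encryption as RDP, which doesn't need anything special? This is a local VM for development, so there's no option to get a public CA for it.
Dendory 2015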

winrm set winrm/config/client '@{TrustedHosts="10.10.106.1"}' worked on the server, but I still get the same error message on the client and still can't connect.
Dendory

1
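@Dendory WinRM over HTTPS works with certificates issued by an internal certificate authority, provided you've properly set up your computers to trust the issuing CA. It doesn't require the computer to have a valid external DNS name, only that you use its DNS name, and that the certificate has it as well. If that's not an option for some reason, you'll have to hope someone can help you get it working with only "Trusted Hosts" entries (entry?) - I just don't do it that way, because it's too much of a pain, and it doesn't seem reliable to me either.
HopelessN00b 2015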

1

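My problem was an instance hosted in AWS.

  • I had to open 5985 on the instance's security group
  • I had to modify the firewall rule to allow 5985 for all profiles and any remote address

    New-NetFirewallRule -Name PsRemotingHttp -Direction Inbound -Action Allow -Protocol tcp -LocalPort 5985 -DisplayName PsRemotingHttp

I worked this out when running test-wsman:

"By default, the WinRM firewall exception for public profiles limits access to remote computers within the same local subnet."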


0

I finally got mine working... where xxx.xxx.xxx.xxx is the IP address.

PS C:\Users\Administrator> winrm quickconfig
WinRM service is already running on this machine.
WinRM is already set up for remote management on this computer.
PS C:\Users\Administrator> Enable-PSRemoting -Force
WinRM is already set up to receive requests on this computer.
WinRM is already set up for remote management on this computer.
PS C:\Users\Administrator> winrm set winrm/config/client '@{TrustedHosts="xxx.xxx.xxx.xxx"}'
Client
    NetworkDelayms = 5000
    URLPrefix = wsman
    AllowUnencrypted = false
    Auth
        Basic = true
        Digest = true
        Kerberos = true
        Negotiate = true
        Certificate = true
        CredSSP = false
    DefaultPorts
        HTTP = 5985
        HTTPS = 5986
    TrustedHosts = xxx.xxx.xxx.xxx

PS C:\Users\Administrator> Enter-PSSession  -ComputerName xxx.xxx.xxx.xxx -Credential "~\Administrator"
[xxx.xxx.xxx.xxx]: PS C:\Users\Administrator\Documents>

Licensed under cc by-sa 3.0 with attribution required.